The present invention provides systems and methods for secure
transaction management and electronic rights protection. Electronic 
appliances such as computers equipped in accordance with the 
present invention help to ensure that information is accessed and 
used only in authorized ways, and maintain the integrity, availability, 
and/or confidentiality of the information. Such electronic appliances 
provide a distributed virtual distribution environment (VDE) that may 
enforce a secure chain of handling and control, for example, to 
control and/or meter or otherwise monitor use of electronically 
stored or disseminated information. Such a virtual distribution 
environment may be used to protect rights of various participants in 
electronic commerce and other electronic or electronic-facilitated 
transactions. Distributed and other operating systems, environments 
and architectures, such as, for example, those using
tamper-resistant hardware-based processors, may establish security at
each node. These techniques may be used to support an
all-electronic information distribution, for example, utilizing the
"electronic highway." 
CLAIMS: We claim:

1. A process which takes place in an apparatus including a
secure processing unit, comprising the following steps: 

• accessing a first record containing information directly or 
indirectly identifying one or more elements of a first 
component assembly, at least one of said elements including 
at least some executable programming; 

• using said information to identify and locate said one or more 
elements; 

o said step of identifying and locating one or more 
elements includes locating one or more load modules, 
said load module(s) locating step comprising: 

■ searching in at least one memory of said secure 
processing unit to determine whether at least 
one of said one or more load modules is located 
in said memory; 

■ if at least one of said one or more load modules 
is located in a memory of said secure 
processing unit, loading and using said load 
module without decrypting said load module; 
and 

■ if at least one of said one or more load modules 
is located outside of a memory of said secure 
processing unit, decrypting said load module 
prior to use of said load module; 

• accessing said located one or more elements; 

• securely assembling said one or more elements to form at 
least a portion of said first component assembly; and 

• executing at least some of said executable programming. 

2. A process as in claim 1 in which at least one memory of said
secure processing unit contains at least one load module relating to 
a budget method. 

3. A process as in claim 1 in which at least one memory of said 
secure processing unit contains at least one load module relating to 
a billing method. 

4. A process as in claim 1 in which at least one memory of said 
secure processing unit contains at least one load module relating to 
an audit method. 

5. A process as in claim 1 in which at least one memory of said
secure processing unit contains at least one load module relating to 
an aggregate method comprising budgeting, billing and auditing 
functions. 

6. A process comprising the following steps: 

http://www.delphion.com/details?&pn==US059 1 79 1 2_&s_clms= 1 



3/5/01 



System and methods for secure transaction management and electronic rights protection (..



• accessing a first record containing information directly or 
indirectly identifying one or more elements of a first 
component assembly, 

o at least one of said elements including at least some
executable programming,
o at least one of said elements constituting a load
module,

■ said load module including executable 
programming and a header; 

■ at least a portion of said header is a public 
portion which is characterized by a relatively 
lower level of security protection; and 

■ at least a portion of said header is a private 
portion which is characterized, at least some of 
the time, by a level of security protection which 
is relatively higher than said relatively lower 
level of security protection, 

• using said information to identify and locate said one or more 
elements; 

• accessing said located one or more elements; 

• securely assembling said one or more elements to form at 
least a portion of said first component assembly; 

• executing at least some of said executable programming; and 

• checking said record for validity prior to performing said 
executing step. 

7. A process as in claim 6 in which: 

• said relatively lower level of security protection comprises 
storing said public header portion in an unencrypted state; 
and 

• said relatively higher level of security protection comprises 
storing said private header portion in an encrypted state. 

8. A process comprising the following steps: 

• accessing a first record containing information directly or 
indirectly identifying one or more elements of a first 
component assembly, 

• at least one of said elements including at least some 
executable programming, 

• at least one of said elements constituting a load module, 

o said load module including executable programming 
and a header; 

■ said header including an execution space 
identifier identifying at least one aspect of an 
execution space required for use and/or 
execution of the load module associated with 
said header; 

said execution space identifier provides the capability for 
distinguishing between execution spaces providing a higher level of 
security and execution spaces providing a lower level of security; 

• using said information to identify and locate said one or more 
elements; 

• accessing said located one or more elements; 

• securely assembling said one or more elements to form at 
least a portion of said first component assembly; 

• executing at least some of said executable programming; and 

• checking said record for validity prior to performing said 
executing step. 

9. A process as in claim 8 in which said execution space
providing a higher level of security comprises a secure processing 
environment. 

10. A process as in claim 9 in which said secure processing 
environment contains at least one secure processing unit. 

11. A process as in claim 10 in which said execution space
providing a lower level of security comprises a host event 
processing environment. 

12. A process as in claim 11 in which said host event processing
environment does not contain a secure processing unit. 

13. A process as in claim 8 further comprising: 

• comparing said execution space identifier against information 
identifying the execution space in which said executing step 
is to occur; and 

• taking an action if said execution space identifier requires an 
execution space with a security level higher than that of the 
execution space in which said executing step is to occur. 

14. A process as in claim 13 in which said action includes 
terminating said process prior to said executing step. 

15. A process as in claim 14 in which said action includes failing 
to include said load module in said component assembly. 

16. A process as in claim 15 further comprising: 

• following said action, attempting to locate a second load 
module, incorporating a second execution space identifier, for 
inclusion in said component assembly. 

17. A process as in claim 6 in which:

• said private header portion includes a check value calculated 
based on the contents of said public portion; and 

• said process further includes the step of using said check 
value to determine whether said public portion has been 
altered or replaced in an unauthorized manner. 

18. A process as in claim 6 in which said private header portion 
includes one or more tags. 

19. A process as in claim 18 in which at least one of said tags 
comprises an access tag. 

20. A process as in claim 19 further comprising: 

• checking said access tag at some point before said execution 
step, in order to determine if use of said load module will be 
allowed. 

21. A process as in claim 6 in which said private header portion
includes one or more digital signatures. 

22. A process as in claim 21 further comprising: 

• checking said digital signature at some point before said 
executing step; and 

• taking at least one action depending on the outcome of said 
checking step. 

23. A process as in claim 22 in which said at least one action 
includes terminating said process prior to said executing step. 

24. A process as in claim 22 in which said at least one action 
includes allowing said executing step to proceed. 

25. A process as in claim 22 in which: 

• said at least one action includes replacing the load module
containing said digital signature with a second load module, 
and 

• said process further includes incorporating said second load 
module into said component assembly. 

26. A process as in claim 22 in which said digital signature
checking step includes identifying the creator of said digital 
signature. 

27. A process as in claim 6 in which said private header portion 
includes at least one check value representing at least one aspect of 
the state of said load module. 

28. A process as in claim 27 further comprising: 

• comparing said check value to an expected value; and 

• taking at least one action based on the results of said 
comparison. 

29. A process as in claim 28 in which said at least one action 
includes terminating said process prior to said executing step. 

30. A process as in claim 28 in which: 

• said load module comprises a first load module; 

• at least one action includes accessing a second load module; 
and 

• said securely assembling step comprises assembling said 
component assembly using said second load module but not 
said first load module. 
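
An added example, not part of the patent text: one way to implement the header checks of claims 13 to 17 and 27 to 30 in Python, covering the check value over the public header portion, the execution space comparison, and the fall-back to a second load module. Assumptions: HMAC-SHA256 as the check value, the "id=..;space=.." header layout, the numeric security levels, the key and module names, and a private portion treated as already decrypted.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Ranking of execution spaces (claims 8-12); the numeric levels are an assumption.
LEVELS = {"HPE": 1, "SPE": 2}  # host event processing env. < secure processing env.
KEY = b"constructed-demo-key"  # stands in for a key held inside the secure processing unit


@dataclass(frozen=True)
class LoadModule:
    public_header: bytes  # unencrypted portion (claim 7); "id=..;space=.." layout is made up
    check_value: bytes    # from the private portion, modelled as already decrypted
    body: bytes


def compute_check(key: bytes, public_header: bytes) -> bytes:
    """Check value over the public portion (claim 17); HMAC-SHA256 is an assumed choice."""
    return hmac.new(key, public_header, hashlib.sha256).digest()


def parse_public(public_header: bytes) -> dict:
    """Split the constructed 'k=v;k=v' header into fields."""
    return dict(item.split("=", 1) for item in public_header.decode("ascii").split(";"))


def validate(module: LoadModule, key: bytes, current_space: str) -> str:
    """Return 'ok' or the reason the module must be left out of the assembly."""
    # Integrity first: no field of the public portion is trusted until it verifies.
    expected = compute_check(key, module.public_header)
    if not hmac.compare_digest(expected, module.check_value):
        return "public header altered"
    try:
        required = LEVELS[parse_public(module.public_header)["space"]]
    except (KeyError, ValueError):
        return "malformed header"
    # Claim 13: refuse when the module needs a more secure space than the current one.
    if required > LEVELS[current_space]:
        return "execution space too weak"
    return "ok"


def assemble(candidates, key: bytes, current_space: str):
    """Return (first valid module or None, reasons for each rejected candidate)."""
    rejected = []
    for module in candidates:
        verdict = validate(module, key, current_space)
        if verdict == "ok":
            return module, rejected   # claims 16 and 30: a later candidate may be used
        rejected.append(verdict)      # claim 15: module is not included
    return None, rejected             # claim 14: stop before the executing step


def make(public_header: bytes, body: bytes) -> LoadModule:
    return LoadModule(public_header, compute_check(KEY, public_header), body)


# Constructed sample modules.
spe_only = make(b"id=LM-BUDGET;space=SPE", b"budget code")
# Public header rewritten to claim a weaker space, old check value reused.
tampered = LoadModule(b"id=LM-BUDGET;space=HPE", spe_only.check_value, b"budget code")
hpe_ok = make(b"id=LM-BUDGET-LITE;space=HPE", b"lite budget code")

if __name__ == "__main__":
    chosen, why = assemble([tampered, spe_only, hpe_ok], KEY, "HPE")
    print(parse_public(chosen.public_header)["id"], why)
```

Verifying the check value before reading the execution space field is what stops a rewritten public header from downgrading the space a module claims to require.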

31. A process comprising the following steps:

• accessing a first record containing information directly or 
indirectly identifying one or more elements of a first 
component assembly, 

o at least one of said elements including at least some 
executable programming consisting of at least two 
code segments; 

■ a first of said code segments being written in a 
first programming language; and 

■ a second of said code segments being written 
in a second programming language different 
from said first programming language, 

o at least one of said elements constituting a load 
module, said load module including executable 
programming; 

• using said information to identify and locate said one or more 
elements; 

• accessing said located one or more elements; 

• securely assembling said one or more elements to form at 
least a portion of said first component assembly; 

o choosing said first code segment for inclusion in said
component assembly;
o including said first code segment in said component
assembly; and
o excluding said second code segment from said
component assembly;

• executing at least some of said first code segment executable 
programming; and 

• checking said record for validity prior to performing said 
executing step. 

32. A process as in claim 31, in which:

• said executing step takes place in a processing environment; 
and 

• said choosing step includes identifying said first code 
segment as being more suited for execution at said 
processing environment than said second code segment. 

33. A process as in claim 32 in which said step of identifying said 
first code segment as being more suited is based at least in part on 
the programming language in which said first code segment is 
written. 

34. A process comprising the following steps: 

• at a first processing environment receiving a first record from 
a second processing environment remote from said first 
processing environment; 

o said first record containing identification information 
directly or indirectly identifying one or more elements 
of a component assembly; 

■ at least one of said elements including at least 
some executable programming; 

■ a first of said elements being designed to carry 
out or participate in metering of user activities; 

■ a second of said elements being designed to 
carry out or participate in budgeting functions 
said second element specifying a credit 
method; 

■ said component assembly allowing access to or 
use of specified information; 

• accessing said first record; 

• using said identification information to identify and locate said 
one or more elements; 

o said element locating step including locating said first 
element at said second processing environment and 
locating said second element at a third processing 
environment located remotely from said first 
processing environment and said second processing 
environment; 

• accessing said located one or more elements; 

o said element accessing step including retrieving said 
first element from said second processing environment 
and retrieving said second element from said third 
processing environment; 

• securely assembling said one or more elements to form at 
least a portion of said component assembly specified by said 
first record; and 

• executing at least some of said executable programming, 

• said executing step taking place at said first processing 
environment; 

• said executing step including metering use of said specified 
information, using said first element. 

35. A process comprising the following steps: 

• at a first processing environment receiving a first record from 
a second processing environment remote from said first 
processing environment; 

o said first record being received in a secure container;
o said first record containing identification information
directly or indirectly identifying one or more elements
of a first component assembly;

■ at least one of said elements including at least 
some executable programming; 

■ said component assembly allowing access to or 
use of specified information; 

o said secure container also including a first of said 
elements; 

• accessing said first record; 

• using said identification information to identify and locate said 
one or more elements; 

o said locating step including locating a second of said 
elements at a third processing environment located 
remotely from said first processing environment and 
said second processing environment; 

• accessing said located one or more elements; 

o said element accessing step including retrieving said 
second element from said third processing 
environment; 

• securely assembling said one or more elements to form at 
least a portion of said first component assembly specified by 
said first record; and 

• executing at least some of said executable programming, 

o said executing step taking place at said first 
processing environment. 

36. A process as in claim 35 in which:

• said first element comprises a metering method; and 

• said executing step includes using said first element to meter 
use of said specified information. 

37. A process as in claim 36 in which: 

• said second element comprises a credit method; and 

• said executing step includes charging against credit supplied 
by said credit method in return for use of said specified 
information. 

38. A process comprising the following steps: 

• creating an initial channel; 

• after creation of said initial channel, creating a first channel; 

o said initial channel allocating said first channel to 
handle a first component assembly; 

• accessing a first record containing information directly or 
indirectly identifying one or more elements of said first 
component assembly, at least one of said elements including 
at least some executable programming; 

• using said information to identify and locate said one or more 
elements; 

• accessing said located one or more elements; 

• within said first channel, securely assembling said one or 
more elements to form at least a portion of said first 
component assembly; and 

• executing at least some of said executable programming. 

39. A process as in claim 38 in which said step of said initial
channel allocating said first channel includes: 

• making, with said initial channel, one or more calls to a 
secure database manager; and 

• returning, from said secure database manager, a channel
blueprint from a secure database. 

40. A process as in claim 39 in which said step of creating a first
channel is based at least in part on said channel blueprint.

41. A process as in claim 40 in which:

• said channel blueprint includes at least one tag; and 

• said step of creating a first channel includes checking said 
tag to determine the validity or suitability of said channel 
blueprint. 

42. A process as in claim 41 in which said first channel includes a 
channel header. 

43. A process as in claim 42 in which said step of creating a first 
channel includes incorporating information into said first channel 
header. 

44. A process as in claim 43 in which said incorporated 
information includes user identification information. 

45. A process as in claim 44 in which said incorporated 
information includes object identification information. 

46. A process as in claim 45 in which said incorporated 
information includes a reference to the type of function to be 
processed by said first channel. 

47. A process as in claim 46 in which said step of creating a first 
channel includes: 



• accessing a control method; and 

• binding said control method to said first channel. 

48. A process as in claim 47 in which said assembling step 
includes binding at least one of said elements to said first channel. 

49. A process as in claim 48 in which said assembling step 
includes said control method obtaining memory allocations required 
for said executing step. 

50. A process as in claim 49 in which said step of accessing said 
one or more located elements includes accessing, with said control 
method, at least one of said elements from a secure database. 

51. A process as in claim 50 in which said step of assembling
includes calling, with said control method, an encryption manager to 
decrypt at least one of said elements. 

52. A process as in claim 51 in which said step of assembling 
includes calling a tag manager with said control method, and 
comparing, with said tag manager, a tag contained in one of said 
elements with an expected value or range of values. 

53. A process as in claim 52 in which:

• said first channel further includes an event queue; 

• said method further comprising writing at least one event into 
said event queue. 

54. A load module comprising: 

• a load module header including a public portion and a private 
portion: 

o said public portion including identification information; 
o said private portion including at least one correlation 
tag; 

■ said correlation tag including information used 
to determine whether a method has 
authorization to call or load the load module; 
and 

• a load module body including: 

o executable programming which calls or includes:

■ programming which controls at least one aspect 
of use of at least one file, said programming 
calling or including programming which provides 
information relating to the user of said file to an 
external site; 

said programming providing information provides such information in 
a summary fashion which does not include information deemed 
confidential by said user; and 

o a reference to data; 

■ at least some of said data being associated with 
or used by said executable programming. 

55. An operating system comprising: 

• component assembling programming which assembles a 
plurality of elements into a component, said component 
assembling programming including; 

o validation programming used to validate said 
elements, said validation programming including: 

■ tag checking programming used to check the 
identity, validity or integrity of elements by 
comparing tags incorporated in said elements 
to expected values; and 

o element identification and referencing programming; 
and 

• an object switch which controls and communicates objects, 
said object switch including: 

o a stream router; 
o one or more stream interfaces; 
o a container manager used to manage secure 
containers; 

■ said container manager contains programming 
which recognizes secure containers and 
performs operations on said secure containers; 

o buffering and storage programming; and 
o an object switch interface. 

56. An operating system as in claim 55, in which: 

• said operations include: 

o constructing secure containers; 
o opening secure containers; and 
o routing secure containers. 

57. A component assembly comprising: 

• a first load module and a second load module, each load 
module comprising: 

• a load module header, made up of a public portion and a 
private portion; 

o said public portion including identification information; 
o said private portion including at least one correlation 
tag; 

■ said correlation tag including information used 
to determine whether a method has 
authorization to call or load the load module; 
and 

• a load module body, including:

o executable programming which calls or includes: 

■ programming which controls at least one aspect 
of use of at least one file, 

■ said programming controlling at least one 
aspect of use of at least one file calls or 
includes programming which provides 
information relating to the user of said file to an 
external site; 

said programming providing information provides such information in 
a summary fashion which does not include information deemed 
confidential by said user; and 

o a reference to data; 

■ at least some of said data being associated with 
or used by said executable programming. 

58. A component assembly comprising: 

• a first load module received from a first source and a second 
load module received from a second source remote from said 
first source, each load module comprising: 

o a load module header, made up of a public portion and
a private portion;
o said public portion including identification information;
o said private portion including at least one correlation
tag;

■ said correlation tag including information used 
to determine whether a method has 
authorization to call or load the load module; 
and 

• a load module body, including: 

o executable programming; and 
o a reference to data; 

■ at least some of said data being associated with 
or used by said executable programming. 